Much of the fight for access to sensitive data in the enterprise happens on endpoints. Innovative technologies for defending such systems often originate from startups, which seek to detect, resist and sometimes deceive intruders and their malware. Consider asking—and answering—the following questions to assess the business model of endpoint security startups to make informed purchasing, investing or other strategic decisions related to this segment.
Relationship to Antivirus
Traditional approaches to defending endpoints from malware center on the use of antivirus software. Modern AV tools from respectable vendors are comprised of modules that can include file reputation checking, exploit protection, browsing oversight, behavioral anomaly detection and, yes, good old malware blacklists. Though the resulting anti-malware capabilities are more effective than those of yesteryear's antivirus products, their use alone is insufficient to protect endpoints in an enterprise environment.
Antivirus products, despite their weak spots, are grounded in both our psyche as well as enterprise control frameworks, industry best practices and compliance requirements. For better or for worse, many organizations see such tools as the foundation for locking down end-user's systems. Therefore, a company with a new endpoint security product should clearly explain for itself, its investors, partners and customers how its product relates to antivirus.
Questions that can help clarify the products relationship to antivirus are:
- How does the new endpoint security product differ from the capabilities available as part of modern antivirus suites?
- Is the product designed to replace antivirus software that's already installed on customers' systems, or will it reside on the endpoints alongside the existing antivirus tool?
- If the two will coexist, how well will they work together? Will they function independently in blissful ignorance of each other's existence, or will their joint presence make up for each product's weaknesses and magnify the strengths?
- Can the product be effective and sustainable as its own entity, or does it look like a feature that should be a part of an established product that safeguards endpoints, such as antivirus?
Though the questions above focus on antivirus, the nature of some endpoint security products will require asking about the product's relationship to other established technologies, such as security information management and network defense solutions.
When a novel product is introduced to the world, it can be hard for people to understand how it works and what benefit it provides over existing technology. Clarifying how the new endpoint security product compares to those that the audience knows about can pave the way towards a conversation about the value proposition. Such discussions will naturally lead to questions about other solutions that compete with the new product on the basis of their objectives and functionality.
As the result, the questions to ask in the context of technological competition include:
- Which of the existing companies that aim to protect endpoints do you consider your closes competitors? Perhaps the startup is looking to displace traditional antivirus or host-based intrusion prevention software? Maybe it aims to displace automated malware analysis sandbox products? Offers alternative incident response and live forensics capabilities?
- How does the new product compare to existing endpoint security solutions? For instance, is it more effective at blocking malware? Perhaps it detects malicious system-level activities more reliably? Does it offer better insights into adversaries' activities on the system? Is less burdensome to operate?
- Which of the competitors have the funding, customer recognition, and the ability to execute and, therefore, pose a meaningful competitive threat? It's hard to track all players in a crowded market, but it's reasonable to identify a few competitors that the company, its customers, partners and investors should have on their horizons.
There is a tendency among startups to say that they don't really have a competitor, perhaps because they use a novel approach to, say, detecting malware or tracking lateral movement of intruders in the enterprise. Though this turns out to be true sometimes, it's rare to see technology that is so novel that similar approaches weren't considered by other companies. If the company truly lacks a competitor, this might indicate that it might be too early for its time, and will fail to gain traction in a commercial setting despite its innovative technology.
Technological competition occurs not only in the way that a company solves a problem, but also in the type of problems it seeks to solve. For instance, a company that tries to spot malware using premonition magic is competing with a firm that uses telepathic omnipotence for malware detection, even if their products operate differently. With this in mind, consider the following questions as a supplement to the list above:
- Which existing companies try to solve the same endpoint security problems, even if they use a different approach to doing that?
- Which existing companies use similar technologies, but in a manner that solves different problems, possibly in a context other than endpoint security?
Budgetary and Time Competition
Even if products differ in how they work or what security problems they try to address, they often compete with each other for customers' funds. For instance, a prospective customer might have set money aside to strengthen endpoint protection by purchasing some event analytics software. That means that a firm wishing to help the customer resist infections will need to wait until next year's budget becomes available. Even then, the startup will need to fight for funds with other IT and security projects.
Along these lines, a prospective customer might be short on time and personnel to commit to evaluating and rolling out a new product, no matter how promising. In this case, the startup is competing for attention and related non-financial resources. The customer might like the new anti-malware technology and agree that it helps keep intruders at bay, but will decide to delay further discussions due to higher-priority issues demanding immediate focus.
Therefore, consider the following budgetary and time-related questions for endpoint security startups:
- From which budgetary buckets will the company's customers likely fund the purchase? If those buckets are empty, how long will it take the customer to refill them with new funds? Much depends on the timing of the budgeting cycle.
- Which existing initiatives are currently consuming the time and energy of the customers' personnel and might delay their evaluation, purchasing and deployment the product? If the start-ups product clearly solves an acute problem, there is a chance that existing efforts will be deprioritized, but that's unlikely.
- What is involved, in the terms of time and expertise, in rolling out and using the product to systems across the enterprise? Installing and configuring software on endpoints tend to be time-consuming, risky and, therefore, costly.
As niche as the endpoint security market might appear to outsiders, it includes many product categories. Some solutions focus on detection; others on prevention. Some try to protect access to the data; others concentrate on malware; yet others aim to spot anomalous activities. Some products attempt to block exploits; others address vulnerabilities. Securing the endpoint means different things to different people, which is why it's important for the startup to understand—and articulate to others—where it belongs within this segment and what problem it tries to solve.
The following questions can help establish how the startup might help its customers:
- What specific endpoint security problems does the product address? What other ways do prospective customers have of addressing these problems?
- What methods will the customer use to assess—during the sales and evaluation process—whether the product is likely to deliver on its promise?
- How and when will the customer be able to observe or measure the product's benefits after deploying it? Sometimes it takes a while for the benefits to become apparent. Is it worth bringing up the topic of security ROI?
- Will the product remain effective if adversaries change tactics? A product that is too specific might lose relevance if it targets a very specific attack scenario or method.
- Does the product work with the way enterprises are using endpoints today? For instance, does it offer protection to all the relevant OS platforms and applications, or is it compatible with Virtual Desktop Infrastructure (VDI) deployments?
There are a number of other factors that one needs to understand when building or interacting with a security start-up, many of them not specific to the endpoint security market. These include the firm's ability to reach customers, execute on its plans and stay in business long enough to achieve its potential.
A startup might possess innovative technology that addresses a real need, say a time-shifting quantum tracer with sub-instant attack attribution capabilities. Yet, the company will perish if it doesn't have a practical way of gaining access to prospective customers and persuading them of the product's benefits and feasibility. This is where having a strong, consultative sales force is critical:
- What is the startup's sales strategy?
- How will it hire and retain the right sales talent?
- What support from technical personnel will be required during the sales process?
Let's talk about the startup's leadership team:
- What experience do its members have in solving problems related to endpoints in an enterprise setting? What's their overall reputation in the industry?
- How is their security background and the ability to define and execute upon a business strategy?
- What's their plan to grow the team in an environment where attracting and retaining security talent and engineers is very difficult?
Lastly, there is much to be said about evaluating the startup's financial model. This topic is too extensive for this post, but you will benefit from reading an article on evaluating startup financial risk by Jonathan Lehr. At the very least, you want to make sure that the company has enough funds to deliver upon its promises and stay in business, or it has a reasonable way of obtaining the necessary funds to remain a viable business entity.
Many questions come to mind when one considers starting, joining, investing in or purchasing from a startup focused on safeguarding enterprise endpoints. If you have feedback on the ones I raised above, let me know via email or on Twitter. I'll be glad to hear from you.
If this topic interests you, take a look at my post outlining First Impression Tips for Security Startups.